Entrust nShield HSM for SSL Decryption for Out-of-Band Tools

Required License: Included with SSL Decryption for Out-of-Band Tools

Starting in software version 5.3, Entrust nShield Hardware Security Module (HSM) is integrated with Passive SSL decryption. Hardware Security Modules offer secure storage, management, and operation of cryptographic material, such as private keys and passphrases. The HSM stores and manages the keys in a safe and secure environment. Since the keys reside on HSM in the network, they are offloaded from an application on a network device.

The application could be a web server or a database server, but, in the case of SSL decryption for out-of-band tools, the application is GigaSMART. The application interfaces with HSM to use the keys that are stored. There must be network connectivity between HSM and the application.

Keys are added to the HSM by an administrator. When an application’s key is on HSM, the HSM creates an application key token. The key token is sent to the application. When the application wants to use a key, the application sends the token to HSM, which establishes a session with HSM to use the key. In this way, the use of keys by the application is secure because only key tokens are exchanged.

You can use Remote File System (RFS), a component in HSM to store and manage encrypted keys. The RFS helps to automate the key distribution process. You can enable RFS on the GigaVUE‑OS device using GigaVUE‑FM so that the device can access the encrypted keys stored in RFS. You can synchronize RFS with GigaVUE‑OS device to perform a bulk download of the encrypted keys.

Entrust nShield HSM is supported on GigaVUE‑HC1, GigaVUE‑HC2, GigaVUE‑HC3 and Generation 3 GigaSMART card (SMT-HC1-S).

Keep in mind the following rules and notes before you configure and use HSM to store and manage keys:

■   GigaSMART uses keys that are already stored on the HSM. There is no key generation.
■   The key token that is uploaded to GigaSMART can only be in PKCS11 format.
■   Only RSA keys (private keys) are supported.
■   Keys are module-protected. With module-protection, the application is a registered client that does not need to log in to the HSM.
■   The network connectivity between the HSM and GigaSMART must use a static IP address. Do not use DHCP because the IP address needs to remain the same.
■   Only IPv4 addresses are supported.
■   Each GigaSMART card that interfaces with the Entrust nShield HSM will use one Entrust nShield license.
■   Clustering is not supported.
■   Increase the HSM timeout to 5000ms when using 4K size keys for decryption.

This section provides topics on how to configure and use HSM for SSL decryption for out-of-band tools:

Add at least one HSM appliance by specifying an alias, a static IP address, and port number. Obtain the ESN and KNETI from your HSM administrator.

To access GigaSMART within GigaVUE‑FM, access a device that has been added to GigaVUE‑FM from the GigaVUE‑FM interface. GigaSMART appears in the navigation pane of the device view on supported devices. Refer to the Access GigaSMART from GigaVUE‑FM for details.

To add an HSM appliance, do the following:

  1. From the device view, go to GigaSMART> Passive SSL > HSM.
  2. Click Add.

Figure 127 Adding a New HSM Appliance
  1. In the Alias field, enter a name for the HSM appliance.
  2. Enter a valid IP address and Port Number.
  3. Enter the ESN and KNETI that you obtained from the HSM administrator.
  4. Choose one of the following methods to select the required key handler file:
    • Install from URL—Enter a valid directory path including the file name and enter the password to access the server.

      • Note:  SCP, SFTP, HTTP, FTP, and TFTP are the supported protocols from where you can select the key handler file.

    • Install from Local Directory—Browse and select the key handler file from your local directory.
  5. Click OK.
1.   From the device view, go to GigaSMART > Passive SSL > HSM.
2. Select the HSM appliance you just created.
3. Click Configure.
4. Choose one of the following methods to install the key handler file:
o   Install from URL—Enter a valid directory path including the file name and enter the password to access the server.

    Note:  SCP, SFTP, HTTP, FTP, and TFTP are the supported protocols from where you can select the key handler file.

o   Install from Local Directory—Browse and select the key handler file from your local directory.

Note:  Ensure that the file name is "world"

Figure 128 HSM-Configure Key Handler
5. Click OK.

Each GigaSMART card requires IP address configuration for network access. To configure IP address details:

1.   From the device view, go to GigaSMART > Passive SSL > Network Access.
2. Select the GigaSMART appliance.
3. Click Edit.
4. Enter IP Address, Netmask, Gateway, DNS, MTU and VLAN parameters.
5. Select the required management interface.

Figure 129 Passive SSL Network Access - IP Configuration
6. Click OK.

Use Remote File System (RFS), a component in HSM to store and manage encrypted keys. The RFS helps to automate the key distribution process. You can enable RFS on the GigaVUE‑OS device using GigaVUE‑FM so that the device can access the encrypted keys stored in RFS. You can synchronize RFS with GigaVUE‑OS device to perform a bulk download of the encrypted keys.

Refer to the following sections:

■   Add RFS to GigaVUE‑OS Device
■   Map Encrypted Keys with Servers

Add RFS to GigaVUE‑OS Device

To add and synchronize RFS to the GigaVUE‑OS device:

1.   From the device view, go to GigaSMART > Passive SSL > Key Mapping.
2. In the RFS section, click Add. The Add RFS page appears.
3. Enter the IP address of the RFS where the encrypted keys are stored.
4. Select the Enable check box next to the Automatic Sync field to automatically synchronize the RFS with the GigaVUE‑OS device.
5. In the Sync Period field, enter the time interval for synchronization in hours.
6. Click OK.

The details of the RFS, such as the IP address, sync period, last sync time, next sync time, and the total number of keys stored and managed in the RFS appears in the RFS section. Click the Show Details link next to the Total Keys column to view the key token and key name mapping for the encrypted keys stored in RFS.

You can choose to modify the Sync Period and Automatic Sync fields for the RFS you have added. Click the server IP address to open the RFS quick view, and then click Edit.

Click Sync to manually synchronize the RFS and the GigaVUE‑OS device to fetch the latest encrypted keys from RFS at any point in time.

Map Encrypted Keys with Servers

A key name or a key token must be mapped to a server IP address. A total of up to 1000 key mappings is allowed per RFS. You can either manually map the keys with the servers or do a bulk key mapping using a text file. If a key mapping already exists, the new key mapping will be rejected. You must delete the existing key mapping to add the new mapping.

To map a key name or key token to a server IP address:

1.   From the device view, go to GigaSMART > Passive SSL > Key Mapping.
2. In the Key Mapping section, click Add. The Add Key Mapping page appears.
3. Choose one of the following type to map the keys with the server IP address:
o   Manual—Manually map the key name or key token to the server IP address. You must keep adding the key mapping one at a time.
o   From URL—Create a text file with the key mappings and upload it to a server. Enter a valid directory path including the text file name and enter the password to access the server. It is recommended to use a secure protocol, such as SCP or HTTPS to access the URL.
o   From Local Directory—Create a text file with the key mappings and save the text file in your local directory. Browse and select the text file from your local directory.
4. Click Submit.

To configure a GigaSMART group for passive SSL:

1.   From the device view, go to GigaSMART > GigaSMART Groups.
2. Click New.
3. In the Alias field, enter a name for the GigaSMART group that you are creating for Passive SSL.
4. From the Port List drop-down list, select the required port you want to associate with this group.
5. Scroll down to the GigaSMART Parameters > Passive SSL section of the page, and then select the Enable HSM check box.

Figure 130 GigaSMART Group Setup Page
6. Click OK.

To create a GigaSMART operation with an SSL Decryption component:

1.   From the device view, go to GigaSMART > GigaSMART Operations (GSOP) > GigaSMART Operation.
2. Click New.
3. In the Alias field, enter a name for the GigaSMART operation.
4. From the GigaSMART Group drop-down list, select the GigaSMART group that you have created for passive SSL.
5. From the GigaSMART Operations (GSOP) drop-down list, select SSL Decryption.

Figure 131 GigaSMART Operations - Setup Page
6. Click OK.

Before uploading keys or configuring SSL, you must create an SSL keychain password. The password is used to encrypt the private keys that you upload to the node.

Note:  When uploading SSL keys, make sure that you are not creating a duplicate key. Adding a duplicate key can cause errors.

To create an SSL keychain password:

1.   From the device view, go to GigaSMART > Passive SSL > Key Store.
2. Click Keychain Password.

Figure 132 SSL Keychain Password Setup Page
3. In the Password and Confirm Password fields, enter a valid password. Ensure that the password meets the following specifications:
o   Password must be at least ten (10) characters in length.
o   Password must contain at least one:
o   uppercase letters
o   lowercase letters
o   numbers
o   special characters
4. Click Submit.

To upload an SSL private key:

1.   From the device view, go to GigaSMART >Passive SSL > Key Store to open the Key Store page.
2. Click Install. The SSL Key page appears.

Figure 133 SSL Key Page
3. In the Alias field, enter a name for the SSL key.
4. Select the Key Upload Type as Private Key. Ensure that the key token is in PKCS11 format.
5. Choose the file. The URL can be downloaded using HTTP, HTTPS, FTP, TFTP, SCP, and SFTP. It is recommended to use a secure protocol, such as HTTPS.
6. Click Save.

After you have uploaded a private key, you can add a service. A service maps to a physical server, such as an HTTP server. One server can run multiple services. A service is a combination of an IP address and a server port number. Also, the key and the service must be tied together.

To create an SSL service:

1.   From the device view, go to GigaSMART > Passive SSL > SSL Services.
2. Click New. The SSL Service page appears.

Figure 134 SSL Service
3. In the Alias field, enter a name for the SSL service.
4. Map the SSL service to a server IP address and a server port using one of the following methods:
o   Select the Enabled check box next to the Default Service field to dynamically map the server IP address and server port.

Note:  If you select the Enabled check box, the Server IP Address and Server Port fields are disabled.

o   In the Server IP Address and Server Port fields, enter an IP address and port to which you want to map the SSL service.
5. From the SSL Key Alias drop-down list, select the name of the SSL Key previously uploaded.
6. From the GS Group drop-down list, select the GigaSMART group with SSL decryption enabled to associate with this SSL service.
7. Click OK.
1.   From the device view, go to Maps > Maps.
2. Click New.
3. Configure the map.

Figure 135 Create New Map
o   Type map11 in the Alias field.
o   Select Regular for Type.
o   Select ByRule for Subtype.
o   Select the network port for the Source.
o   Select Tool port/Hybrid port for Destination.

Figure 136 Configure Map Details
4. Add a Rule.

Figure 137 Figure 20-123: Map Details - Create Rule
a. Click Add a Rule.
b. Select Pass.
c. Select IPv4 Version and set Version to v4.
5. Click Save.